In a network attack using pseudo (spoofed) source addresses, an attacking machine sends a great number of transmission control protocol (TCP) synchronization (SYN) messages with pseudo source addresses to a victim host, thereby occupying network address translation (NAT) session resources of a security gateway, eventually filling up the NAT session table of the security gateway and leaving all hosts within the local area network unable to use the network normally.
URPF is an effective measure for enhancing routing security, and is mainly used for preventing network attacks based on source address spoofing. URPF employs the following data packet forwarding mechanism: when a router receives a data packet, it consults its routing table and determines whether the route back to the packet's source IP address exits through the same interface on which the packet was received; if yes, the data packet is forwarded normally; otherwise, the source IP address is deemed to be a pseudo address and the data packet is discarded. This reverse-path forwarding check plays a definite role in preventing attacks carried out with malicious pseudo source addresses, including distributed denial of service (DDoS).
For example, if a router receives a data packet with a source IP address of a, but the routing table holds no route for address a (namely the route that would be required to send a packet back to a), then the router discards the data packet. Applied at an internet service provider (ISP), on the central-office side, URPF prevents SMURF attacks and other IP address disguise-based attacks; in this way, the network and its clients can be protected from intrusion from the internet and elsewhere.
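The strict check described above, written out as an added example (not part of the original text): a constructed routing table of (prefix, egress interface) pairs, a longest-prefix lookup, and the URPF decision for packets described only by source address and ingress interface. The table mixes IPv4 and IPv6 prefixes, since the same rule applies to both.

```python
import ipaddress

# Constructed routing table: (prefix, interface through which the prefix is reached).
ROUTES = [
    ("10.1.0.0/16", "ge0"),
    ("192.0.2.0/24", "ge1"),
    ("2001:db8:1::/48", "ge1"),
    ("2001:db8::/32", "ge2"),  # less specific; ge1 wins for 2001:db8:1::/48
]

# Constructed SYN burst as seen on interface ge0: two genuine LAN hosts, three spoofed sources.
SAMPLE_SYNS = [
    ("10.1.0.7", "ge0"),          # genuine: reverse route exits via ge0
    ("10.1.9.9", "ge0"),          # genuine
    ("203.0.113.5", "ge0"),       # spoofed: no reverse route at all
    ("192.0.2.44", "ge0"),        # spoofed: reverse route exits via ge1
    ("2001:db8:1::beef", "ge0"),  # spoofed: reverse route exits via ge1
]

def longest_match(table, addr):
    """Return the egress interface of the most specific route covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net and net.prefixlen > best_len:
            best, best_len = iface, net.prefixlen
    return best

def urpf_strict(table, src, ingress):
    """Strict URPF: forward only if the reverse route's interface equals the ingress interface."""
    iface = longest_match(table, src)
    if iface is None:
        return "discard: no reverse route"
    if iface != ingress:
        return f"discard: reverse route via {iface}, packet arrived on {ingress}"
    return "forward"

def filter_packets(table, packets):
    """Apply the check to (src, ingress) pairs and return (forwarded, discarded) counts."""
    forwarded = discarded = 0
    for src, ingress in packets:
        if urpf_strict(table, src, ingress) == "forward":
            forwarded += 1
        else:
            discarded += 1
    return forwarded, discarded
```

Calling `filter_packets(ROUTES, SAMPLE_SYNS)` forwards the two genuine packets and discards the three spoofed ones before they can consume any session-table entry.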
From the perspective of protection effect, the closer the equipment is to the network edge, the better the network protection effect. Meanwhile, edge equipment carries relatively low traffic, so network forwarding performance is little affected when the protection function is activated.
Therefore, it is vital to implement URPF. However, at present an IPv6 network lacks a technology for implementing source address filtering control on broadband access equipment.